search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sorry, wrong version checked in
[phpmyadmin/arisferyanto.git] / libraries / grab_globals.lib.php
blobee148cdfc5182dedaeb9d53800194491240d0ada
1 <?php
2 /* $Id$ */
3 // vim: expandtab sw=4 ts=4 sts=4:
4
5
6 /**
7 * This library grabs the names and values of the variables sent or posted to a
8 * script in the $_* arrays and sets simple globals variables from them. It does
9 * the same work for the $PHP_SELF, $HTTP_ACCEPT_LANGUAGE and
10 * $HTTP_AUTHORIZATION variables.
11 *
12 * loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
13 */
14
15 // just to be sure there was no import (registering) before here
16 $variables_whitelist = array (
17 'GLOBALS',
18 '_SERVER',
19 '_GET',
20 '_POST',
21 '_REQUEST',
22 '_FILES',
23 '_ENV',
24 '_COOKIE',
25 );
26
27 foreach ( get_defined_vars() as $key => $value ) {
28 if ( ! in_array( $key, $variables_whitelist ) ) {
29 unset( $$key );
30 }
31 }
32 unset( $key, $value );
33
34 // protect against older PHP versions' bug about GLOBALS overwrite
35 // (no need to translate this one :) )
36 // but what if script.php?GLOABLS[admin]=1&GLOBALS[_REQUEST]=1 ???
37 if ( isset( $_REQUEST['GLOBALS'] ) || isset( $_FILES['GLOBALS'] )
38 || isset( $_SERVER['GLOBALS'] ) || isset( $_COOKIE['GLOBALS'] )
39 || isset( $_ENV['GLOBALS'] ) ) {
40 die( 'GLOBALS overwrite attempt' );
41 }
42
43 require_once './libraries/session.inc.php';
44
45 /**
46 * @var array $import_blacklist variable names that should NEVER be imported
47 * from superglobals
48 */
49 $import_blacklist = array(
50 '/^cfg$/i', // PMA configuration
51 '/^GLOBALS$/i', // the global scope
52 '/^str.*$/i', // PMA strings
53 '/^_.*$/i', // PMA does not use variables starting with _ from extern
54 '/^.*\s+.*$/i', // no whitespaces anywhere
55 '/^[0-9]+.*$/i', // numeric variable names
56 //'/^PMA_.*$/i', // other PMA variables
57 );
58
59 /**
60 * copy values from one array to another, usally from a superglobal into $GLOBALS
61 *
62 * @uses $GLOBALS['import_blacklist']
63 * @uses preg_replace()
64 * @uses array_keys()
65 * @uses array_unique()
66 * @uses get_magic_quotes_gpc() to check wether stripslashes or not
67 * @uses stripslashes()
68 * @param array $array values from
69 * @param array $target values to
70 * @param boolean $sanitize prevent importing key names in $import_blacklist
71 */
72 function PMA_gpc_extract($array, &$target, $sanitize = TRUE) {
73 if (!is_array($array)) {
74 return FALSE;
75 }
76
77 if ( $sanitize ) {
78 $valid_variables = preg_replace( $GLOBALS['import_blacklist'], '',
79 array_keys( $array ) );
80 $valid_variables = array_unique( $valid_variables );
81 } else {
82 $valid_variables = array_keys( $array );
83 }
84
85 $is_magic_quotes = get_magic_quotes_gpc();
86
87 foreach ( $valid_variables as $key ) {
88
89 if ( strlen( $key ) === 0 ) {
90 continue;
91 }
92
93 if ( is_array( $array[$key] ) ) {
94 // there could be a variable coming from a cookie of
95 // another application, with the same name as this array
96 unset($target[$key]);
97
98 PMA_gpc_extract($array[$key], $target[$key], FALSE);
99 } elseif ($is_magic_quotes) {
100 $target[$key] = stripslashes($array[$key]);
101 } else {
102 $target[$key] = $array[$key];
103 }
104 }
105 return TRUE;
106 }
107
108
109 // check if a subform is submitted
110 $__redirect = NULL;
111 if ( isset( $_POST['usesubform'] ) ) {
112 // if a subform is present and should be used
113 // the rest of the form is deprecated
114 $subform_id = key( $_POST['usesubform'] );
115 $subform = $_POST['subform'][$subform_id];
116 $_POST = $subform;
117 if ( isset( $_POST['redirect'] )
118 && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
119 $__redirect = $_POST['redirect'];
120 unset( $_POST['redirect'] );
121 } // end if ( isset( $_POST['redirect'] ) )
122 unset( $subform_id, $subform );
123 } // end if ( isset( $_POST['usesubform'] ) )
124 // end check if a subform is submitted
125
126 if (!empty($_GET)) {
127 PMA_gpc_extract($_GET, $GLOBALS);
128 } // end if
129
130 if (!empty($_POST)) {
131 PMA_gpc_extract($_POST, $GLOBALS);
132 } // end if (!empty($_POST))
133
134 if (!empty($_FILES)) {
135 foreach ($_FILES AS $name => $value) {
136 $$name = $value['tmp_name'];
137 ${$name . '_name'} = $value['name'];
138 }
139 } // end if
140 unset( $name, $value );
141
142 if (!empty($_SERVER)) {
143 $server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
144 foreach ( $server_vars as $current ) {
145 // its not important HOW we detect html tags
146 // its more important to prevent XSS
147 // so its not important if we result in an invalid string,
148 // its even better than a XSS capable string
149 if ( isset( $_SERVER[$current] ) && false === strpos( $_SERVER[$current], '<' ) ) {
150 $$current = $_SERVER[$current];
151 // already importet by register_globals?
152 } elseif ( ! isset( $$current ) || false !== strpos( $$current, '<' ) ) {
153 $$current = '';
154 }
155 }
156 unset( $server_vars, $current );
157 } // end if
158
159 // Security fix: disallow accessing serious server files via "?goto="
160 if (isset($goto) && strpos(' ' . $goto, '/') > 0 && substr($goto, 0, 2) != './') {
161 unset($goto);
162 } // end if
163
164 unset( $import_blacklist );
165
166 if ( ! empty( $__redirect ) ) {
167 // TODO: ensure that PMA_securePath() is defined and available
168 // for this script. Meanwhile we duplicate what this function does:
169 require('./' . preg_replace('@\.\.*@','.',$__redirect));
170 exit();
171 } // end if ( ! empty( $__redirect ) )
172 ?>
Browse-mode Improvements ++